> How do we adjust FreeIPA such that it ensures Deny-IPASudoRules precede any
> Allow-IPASudoRules ?

So it looks like the current schema would not fly well with SUDO due to a SUDO bug/feature. SUDO will match just any first rule that satisfies the user-host-command combination, but we can't guarantee that rules come in the same order. So there is a possibility that an allow rule will come before a deny rule in our case and will be matched. It is unfortunate and should be fixed by SUDO. In the meantime we need to alter the schema to be able to express allowed and not allowed commands in one rule. It will be up to the admin to know the limitations of SUDO based on the documentation we provide and construct the rules in a non-contradicting way. We might be able to add some nice checks in future.
So here is the current schema:

objectClasses: (2.16.840.1.1137188.8.131.52.TBD NAME 'ipaSudoRule' SUP ipaAssociation STRUCTURAL MUST accessRuleType MAY ( externalUser $ externalHost $ hostMask $ memberCmd $ cmdCategory $ ipaSudoOpt $ ipaSudoRunAs $ ipaSudoRunAsExtUser $ ipaSudoRunAsUserCategory $ ipaSudoRunAsGroup $ ipaSudoRunAsExtGroup $ ipaSudoRunAsGroupCategory ) X-ORIGIN 'IPA v2' )

We will:

* Remove accessRuleType
* Add memberNotCmd, same as memberCmd

attributeTypes: (2.16.840.1.1137184.108.40.206.TBD NAME 'memberNotCmd' DESC 'Reference to a command or group of the commands that is not allowed.' SUP distinguishedName EQUALITY distinguishedNameMatch ORDERING distinguishedNameMatch SUBSTR distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'IPA v2' )

The logic then will be:

* If no memberCmd, memberNotCmd or cmdCategory attribute is specified, no command is allowed
* If cmdCategory is specified (the only value is "all"), all other attributes are ignored and all commands are allowed
* If cmdCategory is not specified:
  * If memberCmd is specified, it defines commands or groups of commands that are allowed
  * If memberNotCmd is specified, it defines commands or groups of commands that are not allowed

Both attributes are allowed at the same time, defining allowed and not allowed commands within the same rule.

This does not solve the problem fully but at least gets us into the same boat as the current SUDO schema.

Comments welcome!

If there are no objections by the end of Friday I will craft a patch over the weekend.

Thanks
Dmitri

_______________________________________________
Freeipa-devel mailing list
Freeipafirstname.lastname@example.org
https://www.redhat.com/mailman/listinfo/freeipa-devel
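The following is an added illustration, not code from the thread or from FreeIPA, of why the proposal above moves the deny into the same rule. It models the described evaluation (no memberCmd/memberNotCmd/cmdCategory means nothing is allowed; cmdCategory "all" overrides everything; otherwise memberCmd allows and memberNotCmd denies, with group references expanded) and a simplified first-match evaluator standing in for SUDO, which stops at the first rule that mentions the command. The rule names, command group DNs, command paths, and the choice that a deny inside one rule beats an allow inside the same rule are all constructed assumptions for the example.

```python
"""Toy model of the memberCmd / memberNotCmd rule semantics (constructed example)."""

from dataclasses import dataclass, field
from typing import Optional, Set

# Constructed command groups: group DN -> member command paths.
CMD_GROUPS = {
    "cn=admin-tools,cn=sudocmdgroups,dc=example,dc=com": {
        "/usr/bin/systemctl",
        "/usr/sbin/reboot",
    },
}


@dataclass
class SudoRule:
    name: str
    member_cmd: Set[str] = field(default_factory=set)      # memberCmd refs
    member_not_cmd: Set[str] = field(default_factory=set)  # memberNotCmd refs
    cmd_category: Optional[str] = None                     # cmdCategory


def expand(refs: Set[str]) -> Set[str]:
    """Resolve command-group references to command paths; plain paths pass through."""
    cmds = set()
    for ref in refs:
        cmds |= CMD_GROUPS.get(ref, {ref})
    return cmds


def rule_decision(rule: SudoRule, cmd: str) -> Optional[str]:
    """Return 'allow', 'deny', or None when the rule says nothing about cmd."""
    if rule.cmd_category is not None:
        if rule.cmd_category != "all":
            raise ValueError("cmdCategory only accepts the value 'all'")
        return "allow"  # all other attributes are ignored
    if not rule.member_cmd and not rule.member_not_cmd:
        return None  # rule allows nothing at all
    # Assumption for this model: within a single rule the deny list wins.
    if cmd in expand(rule.member_not_cmd):
        return "deny"
    if cmd in expand(rule.member_cmd):
        return "allow"
    return None


def first_match(rules, cmd: str) -> str:
    """Simplified SUDO behaviour: first rule that mentions cmd decides; default deny."""
    for rule in rules:
        decision = rule_decision(rule, cmd)
        if decision is not None:
            return decision
    return "deny"


# Two separate rules, as the current schema would express them.
ALLOW_RULE = SudoRule("allow-admin-tools",
                      member_cmd={"cn=admin-tools,cn=sudocmdgroups,dc=example,dc=com"})
DENY_RULE = SudoRule("deny-reboot", member_not_cmd={"/usr/sbin/reboot"})

# One rule carrying both lists, as the proposed schema allows.
COMBINED_RULE = SudoRule("admin-tools-no-reboot",
                         member_cmd={"cn=admin-tools,cn=sudocmdgroups,dc=example,dc=com"},
                         member_not_cmd={"/usr/sbin/reboot"})


def ordering_problem(cmd: str = "/usr/sbin/reboot"):
    """Show the same two rules giving different answers depending on order."""
    return (first_match([ALLOW_RULE, DENY_RULE], cmd),
            first_match([DENY_RULE, ALLOW_RULE], cmd))


if __name__ == "__main__":
    print("separate rules, allow first / deny first:", ordering_problem())
    print("combined rule, reboot:", first_match([COMBINED_RULE], "/usr/sbin/reboot"))
    print("combined rule, systemctl:", first_match([COMBINED_RULE], "/usr/bin/systemctl"))
```

With the two separate rules the outcome for /usr/sbin/reboot flips with rule order, which is exactly the ordering SUDO does not guarantee; the combined rule yields "deny" for reboot and "allow" for systemctl wherever it sits in the list, because both lists are evaluated together.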